Presented at
Black Hat Europe 2017,
Dec. 6, 2017, 10:15 a.m.
(60 minutes).
This talk discusses the risks of connected healthcare devices. It looks at the benefits of adopting IoT for medical devices, current exposure, common communication channels in use as well as interconnectivity approaches used with other critical components. Based off output from security assessments performed against medical devices widely deployed at various hospitals and medical institutions, I will present an in-depth analysis of the target medical device and elaborate on how I was able to compromise it to gain access to plethora of medical records from all the medical institutions it was deployed at and not just the one where our target device was hosted.
I will introduce the threat surface exposed by various medical devices and present some of the real-world attacks against some popular devices & their impact on humans as well as the overall ecosystem they are connected to. Some devices rely on proprietary hardware on licensed bands, which reduces the risk of interference from consumer connected devices, but doesn't provide security as implied in marketing materials. Others rely on standard Wi-Fi security measures for confidentiality and are prone to MitM attacks. Healthcare devices that implement IrDA could yield interesting results when interfaced with cheap $10 hardware.
There are many consumer items that fall under the umbrella of IoT and while it may be hard to understand the impact of hacking a toaster, we can all agree that manipulation of a medical device could lead to rather serious consequences. Apart from putting a patient's life at risk, an attacker could compromise a healthcare device to steal patient data. This presentation will primarily focus on the latter with real-world examples and a case study. I will demonstrate the compromise of a healthcare device to steal medical records, which typically include PII, health insurance data, medical history, SSNs, prescriptions etc.
Presenters:
-
Saurabh Harit
- Managing Security Consultant, Spirent Communications
Saurabh Harit works at Spirent SecurityLabs as a Managing Security Consultant where he is primarily responsible for delivering penetration testing services to Spirent clients across the globe. During his industry experience of over 12 years, Saurabh has worked across diversified industry verticals such as Banking, Aerospace, building solutions, Process & Control Systems and has developed expertise is various aspects of Information security. Saurabh specializes in web application & network security, with secret crush on binary reverse engineering. He has contributed towards proof-of-concept exploits and white papers in the infosec domain as well as delivered security trainings to various fortune 500 clients globally and at reputed security conferences such as CansecWest and Black Hat. Saurabh has presented his research at several security conferences including Derbycon, Toorcon, BSidesTO, Hack3rcon & Blackhat Europe Tools Arsenal and is author of open-source tool, Yasuo (https://github.com/0xsauby/yasuo).
Links:
Similar Presentations: